Thunderbird and its email and calendar security improvements

Last update: March 18th, 2026
  • Thunderbird strengthens security with PKCE, modern OAuth2, NTLM for EWS, and improvements to OpenPGP and GPGME.
  • Recent versions refine email, calendar, and Exchange integration, reducing errors and improving stability.
  • Thunderbird Pro introduces its own email, appointment, and file sharing services, focused on privacy and open standards.
  • The project positions itself as a real alternative to Gmail and Microsoft 365 for users and organizations that prioritize control of their data.

Thunderbird has for years been one of the reference open source email and calendar clients, and in its latest versions it's making significant strides in security, stability, and integration with major email and cloud service providers. If you use it daily for work or to manage multiple accounts, you've probably already noticed that it's becoming less and less like a "just email" client and more and more like a complete everyday solution.

In recent branches, such as versions 140 ESR, 141, 145 and 148, the project combines highly technical internal changes with improvements visible to everyone: more secure authentication (PKCE, modern OAuth2, NTLM for EWS), calendar fixes (Google Calendar, CalDAV, iCal and time zones), native support for Microsoft Exchange, a general interface overhaul, accessibility improvements, and new features designed for those managing large inboxes. All of this is part of a larger strategic move: the arrival of Thunderbird Pro with its own email, calendar and file sharing services, in direct competition with Gmail and Microsoft 365.

Thunderbird 148: focus on safety, refinement and everyday use

Thunderbird 148 is distributed as a free update for Windows, macOS, and GNU/Linux. It can be installed either through the built-in automatic update system or by downloading the installer from the official website. This is not an ESR version, so those who prefer a more gradual update cycle can remain on the current 140.x ESR branch, while those who want the latest version have the "fast" branch at 148.

This release is geared more towards internal fixes, stability, and security patches than towards spectacular visual redesigns. The developers have patched multiple vulnerabilities, some of them classified as high severity, integrating the patches directly into the update. By applying the update, the user is protected against the most recent known flaws.

On the visible side, Thunderbird 148 polishes interface details and fixes bugs that were annoying in daily use, such as problems with periodic email polling after suspending the computer or losing the connection, minor errors in handling folders, labels and filters, and calendar-related crashes, especially in environments with CalDAV and Google Calendar.

Along with 148, Thunderbird 140.8 ESR has also been published, which maintains the extended support model for users and organizations that prioritize maximum stability over new features. In this way, the project offers a clear balance between those who want a "sure thing" and those who don't mind receiving updates more frequently.

Easier access and folder management

One of the areas where the refinement of Thunderbird 148 is most noticeable is the accessibility of tree views. These are present in account lists, folders, and other elements. Efforts have been made to make navigation with keyboards, screen readers, and assistive technologies more consistent and clear, which is crucial for users with visual impairments or those who simply prefer to navigate without a mouse.

The “Unread folders” view has also been improved. Starting with this version, when a folder is marked as read, it correctly stops appearing in that view, preventing the typical confusion for those managing dozens of inboxes with large volumes of email. It seems like a minor detail, but in reality, it saves a lot of time looking at folders that are already up to date.

Another practical improvement is that “Favorites” can be used as a destination directly in the "Move to" and "Archive" buttons. This allows you to send messages to the folders you use most often without having to navigate through the entire tree each time, reducing clicks and wasted time, especially for those who archive email in a very granular way.

These improvements are complemented by minor interface adjustments, such as the correction of a donation banner that sometimes remained in the foreground even when Thunderbird was running in the background, or status messages that displayed unfriendly IMAP identifiers instead of understandable folder names.

Security enhancement: PKCE, NTLM and modern authentication

In terms of security, Thunderbird 148 takes several important steps in line with the current requirements of email providers and cloud services. One of the most significant changes is the migration of Yahoo, AT&T, and AOL accounts to PKCE (Proof Key for Code Exchange) over OAuth 2.0. This extension hardens the authentication process against attempts to intercept the exchange of credentials, something especially relevant in mobile connections or public networks.

Thanks to this change, user sessions in these services are now better protected against man-in-the-middle attacks and token theft, reinforcing a critical security vector without forcing the user to complicate their credentials or activate additional inconvenient steps.

Furthermore, for corporate environments that work with Exchange Web Services (EWS), Thunderbird 148 exposes NTLM as an additional authentication method. This extends compatibility with enterprise configurations where NTLM is still common, particularly in European deployments that combine on-premises servers with diverse clients.

All of this also fits with the modern authentication that providers like Microsoft are demanding. Many users have received emails warning that, starting September 16, 2024, applications that only connect with a username and password (without OAuth2 or other modern methods) will no longer have access to Outlook.com, Hotmail, or Live.com accounts. In this scenario, using clients that support modern authentication, such as Thunderbird in its current versions, is no longer optional but a requirement for secure email synchronization.

Key email fixes: polling, tags, and attachment handling

In daily email use, Thunderbird 148 fixes a particularly irritating error: the periodic polling for new messages could be stopped silently after the computer went into sleep mode or there were network outages. With the new version, the client recovers better from these situations and reliably resumes email checking.

Aspects of the thread presentation have also been tweaked to make the distinction between new and unread messages clearer in collapsed conversations. This helps avoid overlooking important emails buried within long threads.

Regarding organization, a problem has been fixed where the dialog box for creating new folders allowed creating folders without a valid parent folder or that were outright invalid. This could break the folder structure or cause errors on demanding IMAP servers.

The interaction between tags, filters, and the quick filter also receives attention: unlabeled messages now behave correctly when filtering, avoiding inconsistent results. Similarly, the handling of saved searches within the “unified folder” has been corrected; in certain cases it could cause server errors by mixing several mailboxes under a single view.

Previous versions also contained a rather frustrating bug where the delete button could delete an attachment instead of the entire message. In the 141 series, this behavior is corrected, and messages opened in tabs can now properly recreate calendar events or tasks from the email, without erratic behavior.

Thunderbird 141: Improvements to notifications, OpenPGP, and POP3 accounts

Thunderbird 141, released before version 148, introduced two very useful features that enhance both productivity and security. On the one hand, it is now possible to archive emails directly from system notifications without having to open the program's main window. This speeds up email triage: you read the notification, archive it, and get on with your work.

On the other hand, the message editor includes a notification when your configured OpenPGP key is about to expire. This advance reminder prevents you from suddenly being unable to encrypt or sign messages, which is critical for those who work with sensitive communications and need encryption to function without interruption.

Version 141 also focused on resolving stability and usability problems. One of the most serious issues was related to the analysis of message status, which could particularly affect users with huge amounts of email or who constantly switched tabs within the client.

In addition, bugs in POP3 account setup and operation were fixed, along with several folder management issues: incorrect sorting of new folders, errors in creating archive folders, or interruptions during compaction due to write errors. For those using POP3 or highly customized folder structures, these changes make a significant difference.

Interface details and visual behavior have also been refined, such as the status bar when hovering over attachments, which now behaves in a more predictable way and in accordance with what the user expects.

Exchange integration: from EWS support in 148 to native Exchange in 145

One of Thunderbird's major bets for the professional environment is native support for Microsoft Exchange. In versions like 148, the operation of accounts based on Exchange Web Services (EWS) has already been perfected, and in Thunderbird 145 the definitive leap was made with full native integration.

On November 18th, 2025, Thunderbird 145 was launched, which included for the first time full native support for Exchange accounts via EWS. This allows for seamless synchronization of email, calendar events, and contacts with Exchange servers, without relying on third-party plugins that were historically fragile or became unmaintained.

For IT departments and infrastructure managers, this represents a significant change: the risk associated with third-party extensions decreases, deployment is simplified for companies that want to adopt open-source clients, and problems arising from uncoordinated update cycles between plugin and client are reduced.

However, the context must be taken into account: Microsoft has announced the deactivation of EWS in Exchange Online starting October 1, 2026, although the protocol will remain available indefinitely on on-premises Exchange servers. This forces Thunderbird to move towards supporting the Microsoft Graph API to maintain compatibility with Exchange in the cloud, a goal that the project has placed on its roadmap.

Meanwhile, the current EWS implementation in Thunderbird enables features such as OAuth2 configuration, server-side folder management, message reading and composition, attachment management, and subject and body search. Some capabilities, such as advanced synchronization of calendars or address books across all Exchange Online scenarios, will be expanded as the transition to Graph progresses.

Account Hub, credential management and OAuth providers

In parallel with EWS support, Thunderbird has worked on the Account Hub and the account setup wizard to make adding services like Exchange less painful. Thunderbird 148 has fixed several issues with the manual configuration of Exchange accounts, which previously could leave the user in a confusing or even incorrect workflow.

Among the corrections are the cases in which the EWS password request entered an infinite loop when the field was left blank, as well as bugs that prevented saving credentials for new password-based accounts in the internal password manager. Now the integration is more stable, which is critical in mixed environments that combine corporate servers and cloud services.

The treatment of unknown OAuth providers during manual EWS configuration has also been improved. Previously, requests could be rejected without a clear explanation, complicating connections to certain organizational servers. For Gmail accounts, OAuth requests that appeared illogically when adding accounts via automatic configuration have been corrected.

The Account Hub now also displays the calendar and address book sections in a more consistent way. In some scenarios, empty entries appeared without any configured elements, which was confusing. With the latest revisions, the interface is more consistent and less likely to mislead the user.

All of this is in addition to minor usability improvements, such as the correction of keyboard shortcuts that continued to work in background windows within the Account Hub, or the proper recording of the "Move message to" filter action in the activity logs.

Calendar: Google Calendar, CalDAV, iCal and time zones

The calendar is another major beneficiary of recent updates. In Thunderbird 148, the response logic (RSVP) with Google Calendar has been revised. Previously, the system could assign the wrong organizers when creating new events or handle RSVPs in a confusing way. With these changes, organizer assignment and guest responses are now more reliable.

In CalDAV environments, errors that could even close Thunderbird unexpectedly in specific scenarios have been fixed. For example, calendars with multiple associated addresses could cause crashes when handling invitations with several participants, and calendars that used "aliases" did not always show all available response options.

One technical point with a direct impact on daily life is the importing of iCal (ICS) files and the handling of time zones. Until now, certain unfamiliar time zones were interpreted as GMT, which shifted the times of imported events and disrupted appointments. The import engine has been adjusted to prevent these erroneous changes, improving accuracy when working with non-standard time zones or international calendars.

These adjustments are especially relevant in European contexts where meetings between several countries with different time zones are common, as well as for professionals who receive invitations generated by various systems (booking tools, event platforms, etc.). The goal is for Thunderbird to "not interfere" with your meetings unless absolutely necessary.
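A pre-import check for the time zone failure described above, as an added example (not Thunderbird's code): it lists events whose TZID is neither defined by a VTIMEZONE block in the file nor known to the local IANA database, which are the ones an importer would have to guess at. The function names and the sample calendar are constructed for illustration.

```python
import re
from zoneinfo import ZoneInfo

# Constructed sample: one event uses a TZID defined in the file, the other
# uses a TZID that nothing defines (its DTEND line is folded per RFC 5545).
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VTIMEZONE
TZID:Example/Defined
BEGIN:STANDARD
DTSTART:19700101T000000
TZOFFSETFROM:+0100
TZOFFSETTO:+0100
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
UID:ok-1@example.invalid
DTSTART;TZID=Example/Defined:20260318T090000
END:VEVENT
BEGIN:VEVENT
UID:risky-2@example.invalid
DTSTART;TZID=Custom/Office Time:20260318T090000
DTEND;VALUE=DATE-TIME;TZID=Custom/Offi
 ce Time:20260318T100000
END:VEVENT
END:VCALENDAR
"""

# Property name, any other parameters, then a quoted or bare TZID value.
TZID_PARAM = re.compile(r'^([A-Z-]+)[^:]*?;TZID=(?:"([^"]*)"|([^;:]*))', re.I)

def unfold(text):
    """Join folded content lines: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def known_to_system(tzid):
    """True if the local IANA time zone database can resolve the name."""
    try:
        ZoneInfo(tzid)
        return True
    except (KeyError, ValueError, OSError):
        return False

def unresolved_tzids(ics_text):
    """Return (uid, property, tzid) for every TZID an importer must guess."""
    lines = unfold(ics_text)
    defined, in_vtz = set(), False
    for line in lines:  # pass 1: TZIDs the file itself defines
        upper = line.upper()
        if upper == "BEGIN:VTIMEZONE":
            in_vtz = True
        elif upper == "END:VTIMEZONE":
            in_vtz = False
        elif in_vtz and upper.startswith("TZID:"):
            defined.add(line[5:].strip())
    findings, uid, pending = [], None, []
    for line in lines:  # pass 2: TZID parameters used inside each VEVENT
        upper = line.upper()
        if upper == "BEGIN:VEVENT":
            uid, pending = None, []
        elif upper.startswith("UID:"):
            uid = line[4:].strip()
        elif upper == "END:VEVENT":
            findings += [(uid, prop, tz) for prop, tz in pending]
        else:
            m = TZID_PARAM.match(line)
            if m:
                tzid = m.group(2) if m.group(2) is not None else m.group(3)
                if tzid not in defined and not known_to_system(tzid):
                    pending.append((m.group(1).upper(), tzid))
    return findings
```

Events reported by `unresolved_tzids` are the ones worth checking by hand after import, since their displayed times depend on how the client falls back.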

Finally, the presence of calendar and address book elements in the Account Hub has been adjusted so that they only appear when resources are configured, reducing visual noise for those who only use the client as an email manager.

OpenPGP, GPGME and encryption: advanced options for demanding users

In the most recent versions, an advanced preference called mail.openpgp.load_untested_gpgme_version has been introduced. Designed for advanced users and administrators, this option allows you to load versions of the GPGME cryptographic library that have not yet been officially validated with Thunderbird. This is useful in Linux distributions that are ahead in terms of library versions or in environments that need to adopt very recent security patches.

Beyond this adjustment, the client still includes by default OpenPGP support, calendar, task manager, and PDF viewer, so once installed it already covers the needs of most users without having to immediately install extensions.

For those who handle particularly sensitive information or work in regulated sectors, the fact that Thunderbird is open source allows for external audits of the code and cryptographic implementation. This offers a much higher degree of transparency than closed solutions, where you essentially have to take the vendor's word for it.

At the same time, the ecosystem of extensions remains a strong point to complement these capabilities: tools can be added to schedule email sending, automate complex rules, integrate workflows with other services, and much more, without losing control over the data.

Thunderbird Pro and the game-changer against Gmail and Microsoft 365

Beyond the desktop client, the project is working on Thunderbird Pro, a strategic bet that seeks to offer a complete ecosystem of services along the lines of what Gmail or Microsoft 365 offer today, but maintaining the philosophy of open source, privacy, and user control. The idea is to cover email, calendar, and file sharing with its own subscription-based services.

Among the announced services, three key elements stand out: Thundermail (email hosting), Appointment (coordination of schedules and appointment links) and Send (sending encrypted files with up to 500 GB of storage for Pro subscribers). All are based on open standards such as IMAP, SMTP, or JMAP, avoiding closed protocols designed to "tie" the user.

Thundermail, for example, relies on IMAP, SMTP and JMAP from day one. This ensures compatibility not only with Thunderbird, but also with other modern clients. Furthermore, the infrastructure is designed with data sovereignty in mind: priority is given to hosting in Germany and other EU locations, so that it can comply with GDPR and data residency requirements of European organizations.

Appointment has evolved from a standalone web app to a solution integrated directly into Thunderbird's compose window, which allows you to insert appointment booking links without leaving the email flow. It will support different types of meetings (video calls, phone, in-person), and the project is working on group scheduling capabilities linked to standards like VPOLL.

Send, for its part, is inspired by the old Firefox Send, but rebuilt to allow sharing encrypted files without relying on large proprietary platforms like Drive or OneDrive. Its goal is to offer a serious alternative for sending large or sensitive documents to clients and collaborators, while maintaining control over where and how they are stored.

Market context, alternatives and the role of Mailbird

Thunderbird's move doesn't happen in a vacuum: the email client and productivity market is growing strongly, with forecasts placing it at tens of billions of dollars in the coming years. Although Outlook, Gmail, and Apple Mail dominate in volume, there is a growing niche for solutions that prioritize privacy or personalization.

Many power users feel caught between the convenience of integrated ecosystems and the lack of control and privacy they entail. Providers like Microsoft go as far as sharing data with hundreds of external partners in their services, which for certain professional profiles is, quite simply, unacceptable.

In that context, in addition to Thunderbird, Mailbird appears as a commercial alternative focused on productivity and modern design. It offers integration with over 40 third-party apps (Slack, Google Calendar, Asana, Trello, etc.), unified inboxes, features like Speed Reader for very fast email processing, and a multi-platform license that covers Windows and macOS with a single purchase.

Mailbird focuses more on being a productivity hub with native integrations. It doesn't offer built-in encryption or its own hosting services, and it uses a data model that collects usage metrics but doesn't monetize them through advertising or sell them to third parties. It's a middle ground between the extreme control offered by Thunderbird and the data exploitation model of the major providers.

For organizations in regulated sectors, however, the decisive factor often remains data sovereignty and the possibility of self-hosting services. That's where the combination of desktop Thunderbird, Thunderbird Pro services, and on-premises deployment options can tip the scales against purely commercial alternatives.

Migrations, modern authentication, and medium-term planning

Changing email clients or ecosystems is not trivial. Anyone with years of archived emails, complex filtering rules, and dozens of folders should plan the migration calmly, set aside time for testing and, if it is a company, organize basic user training.

Thunderbird makes much of the process easier thanks to its compatibility with standard formats such as MBOX or EML, as well as with protocols like IMAP that minimize the risk of message loss. Even so, it's prudent to plan a parallel operation period (old client + new client) to validate that everything works before making the final switch.

Another aspect to monitor is changes in the suppliers themselves. A clear example is Microsoft and the withdrawal of support for basic authentication in Outlook.com and other services, which requires ensuring that the client we use supports modern methods such as OAuth2 or more robust variants such as those used in Thunderbird 148 with PKCE.

Microsoft's schedule for disabling Exchange Web Services in Exchange Online in 2026 also needs to be taken into account. Organizations that want to bet on Thunderbird with Exchange in the cloud should closely monitor the progress of the integration with Microsoft Graph and, if necessary, maintain contingency plans.

In terms of cost, the Thunderbird desktop client will remain free and funded by donations. Thunderbird Pro will have a subscription price (with "early bird" rates around nine dollars per month for initial users) that includes hosted email, appointments, and file sharing. In contrast, alternatives like Mailbird rely on a one-time license or annual subscription that only covers the client, not hosting.

With all this in mind, Thunderbird is establishing itself as a very serious option for those who want a robust email and calendar client with advanced security, modern authentication, good Exchange support, and its own ecosystem of services that doesn't sacrifice privacy on the altar of convenience. The latest releases, especially the 140 ESR, 141, 145, and 148 branches, have ironed out lingering bugs, strengthened encryption and authentication, improved the handling of complex calendars, and paved the way for a future where competing head-to-head with proprietary giants is a tangible reality for users who don't want to relinquish control of their data.